Kevin Fu, 33

Defeating would-be hackers of radio frequency chips in objects from credit cards to pacemakers

University of Massachusetts, Amherst

Could implanted medical devices that use wireless communication, such as pacemakers, be maliciously hacked to threaten patients' lives? Kevin Fu is no stranger to such overblown scenarios based on his research, though he prefers to stick to talking about technical details. But Fu, a software engineer and assistant professor of computer science, is a security guy. And security people think differently.

"Anyone who works in the world of security--they always have an adversary in mind," Fu explains, sitting behind his desk on the second floor of the UMass Amherst c­omputer science building. "That's how you can best design your systems to defend against it."

The threats Fu researches are chiefly those connected to the security of radio ­frequency identification, or RFID. RFID is an increasingly common technology, used in everything from tags for shipping containers to electronic key cards, from Exxon­Mobil's Speedpass key-chain wands to Chase's no-swipe "Blink" credit cards. It allows billing and personal information to be shared quickly and wirelessly. But not, Fu realized back in 2006, very securely.

After testing more than 20 such "smart" or no-swipe credit cards from MasterCard, Visa, and American Express, Fu and his colleagues found that they could lift account numbers and expiration dates from several of the cards--even cards inside a wallet--just by walking past them with a homemade scanner.

Criminals troll mailboxes, shopping malls, and airports, harvesting nearby RFID information for use in identity-theft scams. Basically, they pick your pocket without ever touching your pocket. Making these cards truly secure would require good encryption software--Fu's specialty. But encryption requires a steady supply of energy, something that the passive, externally powered RFID chips used in these applications don't have. "The inspiration was about the programming," Fu explains. "But the programming won't work without an RFID computer to program. And the RFID computer won't work without solving the energy issues." He breaks a weary smile. "So, thus far, it's been something like a two-year sideline."

The only way for Fu to resolve this catch-22 is to invent new technology--a project he's working on with a team led by Wayne Burleson, a professor of electrical and computer engineering. But even as he wrestled with this problem, Fu found himself wondering, as only a security guy can: if financial information is vulnerable, what about seemingly more obscure targets with far bigger consequences?

This is what first brought him to the heart-attack machine.

At his desk, Fu clicks through a ­Power­Point slide show of bad-guy examples, from the madman who put cyanide-laced Tyleno­l on Chicago drugstore shelves in 1982 to the hacker who posted seizure-inducing animations on an Internet message board for epileptics.

"It might seem paranoid," Fu admits, "but from a security standpoint, you need to start with the fact that bad people do exist." And there seemed no better place to hunt such misanthropes than the world of medicine.

Fu began wondering about the security of medical devices that use RF communication, such as pacemakers and defibrillators. He discussed the problem with his longtime colleague Tadayoshi Kohno, assistant professor of computer science and engineering at the University of Washington and a veteran investigator into the vulnerabilities of computer networks and voting machines (see TR35, September/October 2007).

"Kevin is a fantastic researcher," Kohno says. "His research is now covered in almost every undergraduate computer-security course that I know of. And his insights are exceptionally deep." Together, Fu and Kohno took their questions about de­fibrillators far from the computer ­science lab--into the world of cardiologist William H. Maisel, director of the Medical Device Safety Institute at Boston's Beth Israel Deaconess Medical Center.

The two explained to Maisel's wide-eyed staff how security people think. In turn, the medical professionals introduced the security researchers to Cardiology 101--starting with pacemakers and defibrillators, devices that are implanted in some half-million people around the world every year. Basically, a pacemaker regulates aberrant heartbeats with gentle metronomic pulses of electricity, while a defibrillator provides a big shock to "reboot" a failing heart. Merged, they form an implantable cardioverter defibrillator, or ICD. The ICD is designed to stop a heart attack in a cardiac patient. But, Fu and Kohno wondered, could it create one instead?

In his UMass office, Fu pulls out a shoebox containing the works of an ICD. It looks the way the Tin Man's heart might: padlock-sized and encased in hard, silvery surgical steel, now peeled away can opener-style. I instinctively reach in, drawn like a magpie to the shiny objects. Fu quickly jerks the box away. "Um, you don't want to touch that," he says. "The coil in these things delivers 700 volts"--enough juice to stop your heart.

He points out the matchbook-sized microchip and antenna coil--technolog­y that connects the latest-generation ICDs with the Internet, allowing doctors to re­program a device without surgery. From the perspective of cardiologists and patients, this wireless programming is a godsend. But from Fu's viewpoint, it represents a new security risk. And so he wondered: Could black-hat hackers listen in on the wireless communication between an ICD and its programming computer? Could they make sense of what they heard and use it to inflict harm?

"Most people who make these devices don't think like this," Fu says. "But this is how the adversary thinks. He doesn't play your game; he makes his own game." To assess the security threat, the researchers needed to play the hacker's game.

Catching bugs: By exposing ways for wireless devices to be hacked, Fu has alerted manufacturers to the potential dangers that their customers face. He found that implanted cardiac devices are particularly vulnerable. Credit: Steve Moors

Fu's team set out to create a technique to eavesdrop on defibrillator chatter. The hardware was just off-the-shelf stuff--a platform designed to allow researchers and serious hobbyists to build their own software radios. It has been made into FM radios, GPS receivers, digital te­levision decoders--and RFID readers. All that was left was to write the software, rip the antenna coil out of an old pacemaker, solder it into the radio--and voilà, they had a transmitter.

"It worked pretty well--amazingly well," Fu says. After "nine months of blood and sweat," they could intercept digital bits from an ICD--but they had no idea what those bits meant. His students trudged back to the lab to figure out how to interpret them. Using differential analysis--basically, changing one letter of a patient's name and then listening to how the corresponding radio transmission changed--they were able to painstakingly build up a code book.

Now their homemade software radio could listen in on and record ICD programming commands. The device could also rebroadcast those recordings, as fresh commands, to any nearby ICD. It had become dangerously capable of playing doctor.

Fu discovered one set of commands that would keep an ICD in a constant "awake" state, surreptitiously draining the battery to devastating effect. "We did a back-of-the-envelope calculation on this," he explains. "A battery designed to last a couple years could be drained in a couple weeks. That alone was a notable risk."

Even more notable, Fu's software radio was capable of completely reprogramming a patient's ICD while it was in his or her body. The researchers were able to instruct the device not to respond to a cardiac event, such as an abnormal heart rhythm or a heart attack. They also found a way to instruct the defibrillator to initiate its test sequence--effectively delivering 700 volts to the heart--whenever they wanted.

Fu doesn't like to think of himself as h­aving built a heart-attack machine, or even of discovering that such a thing could be built. Though he is an academic who doesn't shy away from pursuing real-world applications for his theoretical technologies, that "real world" is usually at least 10 years in the future. But the ramifications of the ICD-programming radio were both immediate and chilling: the device could be easily miniaturized to the size of an iPhone and carried through a crowded mall or subway, sending its heart-attack command to random victims.

A heart-attack machine? Really? It would be foolish, Fu says, not to recognize that there are depraved people out there, more than capable of building and using such a machine to inflict harm on random innocents "just for kicks." To this extent, the issue of protecting remote programming access to ICDs is directly related to the issue of protecting RFIDs. Encrypting the communication is the only way to shield millions of people from random risks. It doesn't take a Fu to come up with practical solutions, but by exposing the security dangers he has provided a valuable, perhaps even life-saving, alert to manufacturers.

Fu is too smart to engage in speculation about how the technology could be abused, except to say that he'd be very surprised if there weren't "people already working on this." In the best case, we'll never know how foresighted he was; medical-device maker­s will eliminate the threat before hackers ever exploit it. "Kevin is a computer scientist who also has the ability to look at problems like a medical doctor and like a patient," says Maisel. "The work Kevin is doing now--relating to medical-device security and privacy--has the potential to impact millions of people."

How about the more dramatic scenario­s? Imagine a spy agency using printed circuitry to put a heart-attack machine into a news­paper, delivered with morning coffee to a foreign leader with a pacemaker. Or a Lex Luthor-like supervillain who retrofits a radio tower to broadcast his death ray to entire populations.

Kevin Fu--professor, researcher, scientist--rolls his eyes. "All I can say about that one," he says with a laugh, "is it might make a pretty good movie." --Charles Graeber

In the best case ... medical-device maker­s will eliminate the threat before hackers ever exploit it

Yes, but swapping out a pacemaker is an invasive and somewhat dangerous operation. Not too long ago, several people died because their suspected-defective pacemakers were not swapped out due to that risk. Even if the medical-device makers eliminate the vulnerability in their new models (and it might take a significant amount of testing time to make sure those models function correctly), there's still an installed base out there.